Introducción
Instalación:
https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli
Hola mundo en terraform
Vamos a crear un hola mundo en una máquina virtual de GCE con terraform
touch main.tf
Terraform lee todos los archivos .tf del directorio.
Provider
Plugin que interactúa con un servicio de un proveedor de cloud.
provider "google" {
region = "us-central-1"
}
Resources
Unidad básica de configuración en terraform
resource "google_compute_instance" "nginx-server" {
project = "sils-keeper-infra"
name = "nginx-server"
machine_type = "n1-standard-1"
zone = "us-central1-a"
boot_disk {
initialize_params {
image = "ubuntu-minimal-2210-kinetic-amd64-v20230126"
}
}
network_interface {
network = "default"
access_config {}
}
}
Comandos
terraform init # Iniciar directorio de trabajo
terraform plan # Generar plan de ejecución
terraform apply # Aplica los cambios
terraform destroy # Elimina los recursos
Crear máquina virtual
terraform plan
Output:
terraform plan
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
+ create
Terraform will perform the following actions:
# google_compute_instance.nginx-server will be created
+ resource "google_compute_instance" "nginx-server" {
+ can_ip_forward = false
+ cpu_platform = (known after apply)
+ creation_timestamp = (known after apply)
+ current_status = (known after apply)
+ deletion_protection = false
+ effective_labels = {
+ "goog-terraform-provisioned" = "true"
}
+ id = (known after apply)
+ instance_id = (known after apply)
+ label_fingerprint = (known after apply)
+ machine_type = "n1-standard-1"
+ metadata_fingerprint = (known after apply)
+ min_cpu_platform = (known after apply)
+ name = "nginx-server"
+ project = "sils-keeper-infra"
+ self_link = (known after apply)
+ tags_fingerprint = (known after apply)
+ terraform_labels = {
+ "goog-terraform-provisioned" = "true"
}
+ zone = "us-central1-a"
+ boot_disk {
+ auto_delete = true
+ device_name = (known after apply)
+ disk_encryption_key_sha256 = (known after apply)
+ guest_os_features = (known after apply)
+ kms_key_self_link = (known after apply)
+ mode = "READ_WRITE"
+ source = (known after apply)
+ initialize_params {
+ architecture = (known after apply)
+ image = "ubuntu-minimal-2210-kinetic-amd64-v20230126"
+ labels = (known after apply)
+ provisioned_iops = (known after apply)
+ provisioned_throughput = (known after apply)
+ resource_policies = (known after apply)
+ size = (known after apply)
+ snapshot = (known after apply)
+ type = (known after apply)
}
}
+ confidential_instance_config (known after apply)
+ guest_accelerator (known after apply)
+ network_interface {
+ internal_ipv6_prefix_length = (known after apply)
+ ipv6_access_type = (known after apply)
+ ipv6_address = (known after apply)
+ name = (known after apply)
+ network = "default"
+ network_attachment = (known after apply)
+ network_ip = (known after apply)
+ stack_type = (known after apply)
+ subnetwork = (known after apply)
+ subnetwork_project = (known after apply)
+ access_config {
+ nat_ip = (known after apply)
+ network_tier = (known after apply)
}
}
+ reservation_affinity (known after apply)
+ scheduling (known after apply)
}
Plan: 1 to add, 0 to change, 0 to destroy.
Crear infra con apply
terraform apply
- Confirmar con yes
- Entrar a la consola de GCP y mirar si se creó el recurso
- Destruir la infra creada
terraform destroy
- Agregar startup script para instalar nginx
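# First-boot script that installs nginx from nginx.org's repository. GCE runs
# startup scripts as root and without a TTY, so every apt call must be
# non-interactive (the original `apt install` without -y aborts at the
# "Do you want to continue?" prompt). Indented heredoc (<<-) strips the
# common leading whitespace.
metadata_startup_script = <<-EOF
  #!/bin/bash
  # Abort on the first failing command or failed pipeline stage instead of
  # continuing with a half-configured host.
  set -euo pipefail
  export DEBIAN_FRONTEND=noninteractive
  # Package lists are stale on a fresh image; refresh before the first install.
  sudo apt-get update
  sudo apt-get install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring
  # -f fails on HTTP errors instead of piping an error page into gpg;
  # -L follows redirects; -sS is quiet but still reports failures.
  curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
  # This only PRINTS the imported key's fingerprint; compare it with the one
  # published on nginx.org (placeholder: <EXPECTED_NGINX_KEY_FINGERPRINT>).
  # An unchecked keyring would trust packages from whoever serves that URL.
  gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
  # signed-by= scopes this keyring to the nginx repository only.
  echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
  http://nginx.org/packages/ubuntu $(lsb_release -cs) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list
  # Pin nginx.org's build above Ubuntu's own nginx package.
  echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx
  sudo apt-get update
  sudo apt-get install -y nginx
  sudo systemctl enable --now nginx
EOF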
- Crear llave ssh
ssh-keygen -t rsa -b 2048 -f "nginx-server.key"
- Agregar resource de clave ssh
# Instance metadata. ssh-keys injects an authorized public key for the user
# named before the colon (documented format is USERNAME:KEY; the space after
# the colon is kept as in the original — confirm login works). file() reads
# nginx-server.key.pub at plan time, so it must sit next to main.tf; the
# matching private key (nginx-server.key) must stay local and out of VCS.
metadata = {
ssh-keys = "nginx-server-ssh: ${file("nginx-server.key.pub")}"
}
- Agregar resource de google firewall para abrir puertos http y ssh
resource "google_compute_firewall" "ssh" {
name = "allow-ssh"
project = "sils-keeper-infra"
allow {
ports = ["22"]
protocol = "tcp"
}
direction = "INGRESS"
network = "default"
priority = 1000
source_ranges = ["0.0.0.0/0"]
target_tags = ["nginx"]
}
resource "google_compute_firewall" "http" {
name = "allow-http"
project = "sils-keeper-infra"
allow {
ports = ["80"]
protocol = "tcp"
}
direction = "INGRESS"
network = "default"
priority = 1000
source_ranges = ["0.0.0.0/0"]
target_tags = ["nginx"]
}
resource "google_compute_firewall" "nginx-egress-all" {
name = "nginx-egress-all"
project = "sils-keeper-infra"
network = "default"
direction = "EGRESS"
allow {
protocol = "all"
}
destination_ranges = ["0.0.0.0/0"]
description = "Allow all outbound traffic"
target_tags = ["nginx"]
}
- Agregar tag en resource de compute engine para vincular las reglas de firewall
# Network tags: a firewall rule applies to this VM only when one of these
# matches its target_tags ("nginx" binds the three rules above).
tags = ["nginx", "http-server"]
- archivo final
resource "google_compute_instance" "nginx-server" {
project = "sils-keeper-infra"
name = "nginx-server"
machine_type = "n1-standard-1"
zone = "us-central1-a"
tags = ["nginx", "http-server"]
boot_disk {
initialize_params {
image = "ubuntu-minimal-2210-kinetic-amd64-v20230126"
}
}
network_interface {
network = "default"
access_config {}
}
metadata_startup_script = <<EOF
#!/bin/bash
sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring
curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
gpg --dry-run --quiet --no-keyring --import --import-options import-show /usr/share/keyrings/nginx-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
| sudo tee /etc/apt/preferences.d/99nginx
sudo apt update
sudo apt install nginx
sudo systemctl enable nginx
sudo systemctl start nginx
EOF
metadata = {
ssh-keys = "nginx-server-ssh: ${file("nginx-server.key.pub")}"
}
}
resource "google_compute_firewall" "ssh" {
name = "allow-ssh"
project = "sils-keeper-infra"
allow {
ports = ["22"]
protocol = "tcp"
}
direction = "INGRESS"
network = "default"
priority = 1000
source_ranges = ["0.0.0.0/0"]
target_tags = ["nginx"]
}
resource "google_compute_firewall" "http" {
name = "allow-http"
project = "sils-keeper-infra"
allow {
ports = ["80"]
protocol = "tcp"
}
direction = "INGRESS"
network = "default"
priority = 1000
source_ranges = ["0.0.0.0/0"]
target_tags = ["nginx"]
}
resource "google_compute_firewall" "nginx-egress-all" {
name = "nginx-egress-all"
project = "sils-keeper-infra"
network = "default"
direction = "EGRESS"
allow {
protocol = "all"
}
destination_ranges = ["0.0.0.0/0"]
description = "Allow all outbound traffic"
target_tags = ["nginx"]
}
- Ejecutar
terraform plan
- Chequear que esté todo ok!
- Ejecutar
terraform apply
Agregar tags
en resource de google_compute_instance agregar lo siguiente:
# Resource labels: inventory/billing metadata only, they grant no access and
# do not interact with firewall target_tags. The "project" label key is
# unrelated to the resource's project argument.
labels = {
environment = "test"
owner = "julian_sanchez"
team = "sre"
project = "sils-keeper-infra"
}
terraform plan
terraform apply
Destruir infra creada
terraform destroy
NO OLVIDAR ESTO PORFA